An Internet Protocol Multimedia Subsystem (IMS) is a Session Initiation Protocol (SIP) based session control system resulting from an extension of a Packet Switching (PS) domain network, and the IMS system is constituted of a Call Session Control Function (CSCF), a Media Gateway Control Function (MGCF), a Multimedia Resource Function Controller (MRFC), a Home Subscriber Server (HSS), a Breakout Gateway Control Function (BGCF), a Multimedia Resource Function Processor (MRFP), a Media Gateway (MGW), an Application Server (AS) providing an IMS service and other functional entities. The CSCF can be logically divided by function into three logical entities, namely a Serving-CSCF (S-CSCF), a Proxy-CSCF (P-CSCF) and an Interrogating-CSCF (I-CSCF), where the S-CSCF is a service switching center of the IMS system to perform session control, maintain a session status, manage information of an IMS user equipment, generate billing information, etc., the P-CSCF is an initial access point of the IMS user equipment to the IMS system to perform registration of the IMS user equipment, Quality of Service (QoS) control and security management, communication with a General Packet Radio Service (GPRS) system, etc., and the I-CSCF enables communication with the IMS system, manages allocation and selection of the S-CSCF, hides a network topology and configuration from the outside, generates billing data, etc.; the BGCF provides controlled communication with another IMS system; the MGCF and the MGW enable intercommunication between the IMS system and a Circuit Switching (CS) domain system and between the IMS system and a Public Switched Telephone Network (PSTN); the MRFC provides a media resource; and the HSS stores subscription data and configuration of the IMS user equipment, authentication data of the IMS user equipment, etc.
FIG. 1 is a schematic structural diagram of an IMS system in the prior art, where an IMS user equipment accesses a P-CSCF of the IMS system to be registered with the IMS system, and subsequently an AS providing an IMS service provides the IMS user equipment with the IMS service, and the IMS user equipment can further be connected with an AS providing a non-IMS service via an interface Ut to access the non-IMS service. An AS providing an IMS service is referred to as an “IMS AS”, and an AS providing a non-IMS service is referred to as a “non-IMS AS”. An access to an IMS service and an access to a non-IMS service will be introduced below in detail respectively.
Reference is made to FIG. 2 illustrating a flow chart of a method for an IMS user equipment to access an IMS service in the prior art, and a specific process flow thereof is as follows.
In the step 21, an IMS user equipment initiates an IMS registration and authentication flow to a P-CSCF/S-CSCF in an IMS system.
In the step 22, the P-CSCF/S-CSCF in the IMS system registers a login status of the IMS user equipment with the HSS, and subscription data and configuration information of the IMS user equipment are stored in the HSS.
In the step 23, the IMS user equipment transmits an SIP service request carrying the identity of a user of the IMS user equipment to the P-CSCF/S-CSCF, where the identity of the user of the IMS user equipment is carried in “P-Preferred-Identity” of a header of the SIP service request.
In the step 24, the P-CSCF judges whether the IMS user equipment has been registered upon reception of the SIP service request, and if so, the P-CSCF replaces “P-Preferred-Identity” of the header of the SIP service request with “P-Asserted-Identity”, including the identity of the authenticated user, to indicate that the identity of the IMS user equipment has been authenticated successfully, and since the identity of the user of the IMS user equipment has been stored in the P-CSCF when the IMS user equipment is registered, the P-CSCF can perform identity authentication directly on the IMS user equipment.
In the step 25, the P-CSCF forwards the modified SIP service request to an IMS AS through the S-CSCF.
In the step 26, the IMS AS determines whether the received modified SIP service request carries “P-Asserted-Identity” upon reception of the SIP service request, and if so, the IMS AS has authenticated the identity of the IMS user equipment.
In the step 27, the IMS AS responds to the P-CSCF/S-CSCF with the authentication result of successful authentication.
In the step 28, the P-CSCF/S-CSCF responds to the SIP service request of the IMS user equipment by indicating that the identity of the IMS user equipment has been authenticated successfully and the IMS user equipment can perform service interaction with the IMS AS.
In the step 29, the IMS user equipment performs service interaction directly with the IMS AS to access an IMS service provided by the IMS AS.
When no P-CSCF exists in the IMS system, the flow can proceed directly through an S-CSCF functioning as both a P-CSCF and an S-CSCF, or if a P-CSCF is present, the flow proceeds through the interaction between a P-CSCF and an S-CSCF currently serving the IMS user equipment.
As is apparent from the foregoing process flow, the P-CSCF in the IMS system, instead of the IMS AS, performs identity authentication on the IMS user equipment accessing the IMS service, without separate identity authentication of the IMS user equipment by the IMS AS.
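The header handling of steps 23 to 26 can be sketched as follows. This is an added example, not part of the original text: the function names, the registered-identity set and the sample request are constructed, and discarding a “P-Asserted-Identity” received from the user equipment is an assumption about the P-CSCF that follows from the IMS AS relying on the presence of that header alone.

```python
# Added illustration: all names and sample data below are constructed.
REGISTERED = {"sip:alice@ims.example.net"}  # identities stored at registration

SAMPLE = ("INVITE sip:service@as.ims.example.net SIP/2.0\r\n"
          "From: <sip:alice@ims.example.net>;tag=1\r\n"
          "P-Preferred-Identity: <sip:alice@ims.example.net>\r\n"
          "P-Asserted-Identity: <sip:other@ims.example.net>\r\n"  # sent by the UE itself
          "\r\n")

def parse_sip(raw):
    """Return (start_line, [(header_name, value), ...]) for a SIP request."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers

def uri_of(value):
    """Extract the URI from a value such as '<sip:alice@ims.example.net>'."""
    if "<" in value and ">" in value:
        return value[value.index("<") + 1:value.index(">")]
    return value.strip()

def pcscf_process(raw, registered=REGISTERED):
    """Step 24: for a registered UE, replace P-Preferred-Identity with
    P-Asserted-Identity. Returns (start_line, headers) or None if unregistered."""
    start, headers = parse_sip(raw)
    preferred = [uri_of(v) for n, v in headers if n.lower() == "p-preferred-identity"]
    if not preferred or preferred[0] not in registered:
        return None
    # Only the P-CSCF asserts an identity: drop the UE's hint and any
    # P-Asserted-Identity that arrived from the UE side.
    kept = [(n, v) for n, v in headers
            if n.lower() not in ("p-preferred-identity", "p-asserted-identity")]
    kept.append(("P-Asserted-Identity", "<%s>" % preferred[0]))
    return start, kept

def as_authenticated_identity(headers):
    """Step 26: the IMS AS treats the request as authenticated only when it
    carries exactly one P-Asserted-Identity."""
    asserted = [uri_of(v) for n, v in headers if n.lower() == "p-asserted-identity"]
    return asserted[0] if len(asserted) == 1 else None
```
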
Reference is made to FIG. 3 illustrating a flow chart of a method for an IMS user equipment to access a non-IMS service in the prior art, and a specific process flow is as follows.
In the step 31, an IMS user equipment initiates a Hypertext Transfer Protocol (HTTP) request to a non-IMS AS.
In the step 32, the non-IMS AS responds with a No-Grant message carrying a first random number generated randomly by the non-IMS AS and a realm of the IMS user equipment, where the realm instructs the IMS user equipment to use a username and a password for authentication.
In the step 33, the IMS user equipment detects that the message carries the realm upon reception of the message and calculates a first response value from its own username and password and the received first random number in a preset algorithm.
In the step 34, the IMS user equipment carries the calculated first response value and a second random number generated randomly by the IMS user equipment in an HTTP response message and transmits the HTTP response message to the non-IMS AS.
In the step 35, the non-IMS AS generates a second response value from its own generated first random number and the username and the password of the IMS user equipment in a preset algorithm upon reception of the HTTP response message.
In the step 36, the non-IMS AS determines whether the calculated second response value is consistent with the received first response value, and if so, the non-IMS AS has authenticated the identity of the IMS user equipment.
In the step 37, the non-IMS AS calculates a third response value from the second random number generated randomly by the IMS user equipment and the username and the password of the IMS user equipment, carried in the received HTTP response message, in a preset algorithm.
In the step 38, the non-IMS AS carries the calculated third response value in a 200OK message and transmits the 200OK message to the IMS user equipment to have the IMS user equipment authenticate the non-IMS AS.
In the step 39, the IMS user equipment calculates a fourth response value from its own generated second random number and the username and the password of the IMS user equipment in a preset algorithm upon reception of the 200OK message.
In the step 310, the IMS user equipment determines whether the calculated fourth response value is consistent with the received third response value, and if so, the IMS user equipment has authenticated the non-IMS AS.
In the step 311, the IMS user equipment transmits an HTTP service request to the non-IMS AS.
In the step 312, the non-IMS AS responds to the IMS user equipment with a 200OK message and establishes a service connection with the IMS user equipment, and the IMS user equipment accesses a non-IMS service provided by the non-IMS AS.
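The mutual challenge-response of steps 32 to 310 can be sketched as follows. This is an added example, not part of the original text: the class and function names are constructed, and HMAC-SHA-256 stands in as an assumption for the unspecified “preset algorithm”. The direction label, single-use random numbers and constant-time comparison are further assumptions; the label keeps a value computed for one direction from being accepted in the other.

```python
import hashlib, hmac, secrets

def response(username, password, nonce, direction):
    """Response value; HMAC-SHA-256 and the direction label are assumptions."""
    msg = b"|".join([direction.encode(), username.encode(), nonce])
    return hmac.new(password.encode(), msg, hashlib.sha256).digest()

class NonImsAS:
    def __init__(self, credentials):
        self.credentials = credentials  # username -> password (constructed store)
        self.outstanding = set()        # first random numbers not yet answered

    def challenge(self):
        """Step 32: generate the first random number."""
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, username, nonce, first_response, second_nonce):
        """Steps 35-38: return the third response value, or None on failure."""
        password = self.credentials.get(username)
        if nonce not in self.outstanding or password is None:
            return None
        self.outstanding.discard(nonce)  # each random number is accepted once
        second = response(username, password, nonce, "ue->as")
        if not hmac.compare_digest(second, first_response):
            return None
        return response(username, password, second_nonce, "as->ue")

class UserEquipment:
    def __init__(self, username, password):
        self.username, self.password = username, password

    def answer(self, first_nonce):
        """Steps 33-34: first response value plus the second random number."""
        self.second_nonce = secrets.token_bytes(16)
        first = response(self.username, self.password, first_nonce, "ue->as")
        return first, self.second_nonce

    def check_server(self, third_response):
        """Steps 39-310: compare the fourth response value with the third."""
        fourth = response(self.username, self.password, self.second_nonce, "as->ue")
        return third_response is not None and hmac.compare_digest(fourth, third_response)

def run_exchange(ue, server):
    """Return (AS authenticated UE, UE authenticated AS)."""
    n1 = server.challenge()
    first, n2 = ue.answer(n1)
    third = server.verify(ue.username, n1, first, n2)
    return third is not None, ue.check_server(third)
```
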
As is apparent from the foregoing process flow, authentication has to be performed directly between the non-IMS AS and the IMS user equipment accessing the non-IMS service because the non-IMS AS cannot acquire authentication data of the IMS user equipment from the IMS system; and there is no uniform standard for authentication modes between different non-IMS ASs and the IMS user equipment, and available authentication mechanisms can include a username/password authentication mechanism, an HTTP digest mechanism, and a transport layer security mechanism with a pre-shared key.
In the prior art, the non-IMS AS has to authenticate each IMS user equipment accessing a non-IMS service, thus degrading the service processing efficiency of the AS.